Commentary from Mr. Geoff Webb, Senior Director, Solution Strategy, NetIQ around the recent news on ‘Google widening its encryption’ – Google to Boost Encrypted Websites in Rankings & ‘Russian breach hacking’.

#’Google widening its encryption’ 

I think it’s a great move by Google to use their ranking systems to promote better web security. As we’ve so clearly seen in the news in the last few days, better web security is going to continue to be essential to defeating cyber criminals who target vulnerable sites to steal information, usernames and passwords. By including HTTPS as an element of their ranking systems Google is using its considerable influence to both encourage sites to improve security and to also bring attention to the fact that many sites still reply on unsecure HTTP.

Website owners who had not implemented HTTPS as of yet may well re-evaluate that decision in light of the fact that Google is now using the presence of HTTPS as a ranking factor – and that benefits everyone.

Advantages of HTTPS:
HTTPS is becoming especially important as attackers target unsecured Wi-Fi locations (such as your local coffee shop) and either listen in to your web traffic or even step in and impersonate the site you think you’re connecting to, enabling them steal all kinds of potentially sensitive information. HTTPS does require a little more work on the part of the web host but the benefits in ensuring that the user’s communication is secure, private and untampered with are so significant there’s really no reason not to use it. Once you are using an HTTPS connection, it’s very difficult, if not impossible, for an attacker to listen in and steal data, or to pretend to be the target website and misdirect you.

Broader Trend:
As more and more people use mobile computing technology to connect to websites from a variety of locations, and as more and more of our lives move online, ensuring the confidentiality and integrity of communications with websites is essential. HTTPS is one, very important element of keeping us all secure online.

 # ‘Russian breach hacking’

Security experts at NetIQ have commented that the sheer scale of the ‘Russian breach hacking’ demonstrates that we have a long way to go in securing web-facing applications.

Mr. Geoff Webb, Senior Director, Solution Strategy, NetIQAccording to Geoff Webb, Senior Director, Solution Strategy, NetIQ, this is a huge haul of accounts and passwords and as a result it’s very significant. It will be some time before we get a sense of how wide reaching the potential problem here is, if in fact we ever really get insight into the impact.

Although it will be compared to the Target breach, this is a very different kind of problem – because while the Target breach stole credit cards from a retailer, it’s impossible to know how many sites will be impacted by this hacker group.

Small groups of hackers are able to perpetrate this kind of immense data theft because there is already extensive information available to assist them in navigating to vulnerable systems around the globe – hackers have mapped the internet to a high degree of accuracy and that information is readily available. Furthermore, the advent of cloud computing presents these hacker groups with massive compute power on tap for low cost. They can use botnets to identify and attack sites, cloud compute resources to crunch the resulting data, and remain under the radar the entire time.

The Breach itself:

It’s likely that well-known vulnerabilities were exploited to steal passwords – in fact it’s very likely given the sheer scale of attacks. That includes vulnerabilities in the web-facing applications and systems, as well as vulnerabilities in the way passwords are created and stored.

Organisations don’t always protect passwords as well as they should – either using weak hashing algorithms, unsalted hashes, or in some cases, not even protecting the passwords at all. Many companies don’t enforce good password policies, and users employ poor password hygiene – reusing the same passwords in multiple places – meaning that any single username and password combination could present an open door to many sites.

The Wider Implications:

This again signals we are reaching the end of the usable lifespan of the username/password combination to security. The approach of making users create their own passwords simply forces this last, critical step in security into the hands of the people least qualified and least interested in making it secure: the end user.

People don’t want to deal with complex passwords they use only once, and as we keep forcing users to be responsible for this security it’s unsurprising we keep seeing the same results – weak passwords, reuse of passwords and breaches that cascade to many sites.

Leave a Reply